FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 271862

This article discusses when FortiGate is not able to send logs to FortiAnalyzer with FIPS -CC mode enabled in version 7.2.5.

Scope FortiGate v7.2.5.

For versions 7.2.5 and 7.4.0, FIPS FortiGate will do the FortiAnalyzer certificate check. The following error will appear in OFTP debugs on FortiGate:

SSL_info_callback:320] SSL Alert read: fatal bad certificate
SSL_info_callback:330] error
SSL_info_callback:349] Error error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate

There are some configuration changes required on both FortiGate and FortiAnalyzer:


  1. A custom certificate needs to be created on both FortiGate and FortiAnalyzer. Certificates can be created by generating CSRs on each unit and sending them to the CA for signing.
  2. These certificates should be signed by the same CA
  3. Upload the CA certificate under the FortiAnalyzer and FortiGate CA certificate sections.
  4. FortiGate needs to disable the certificate verification with 'set certificate-verification disable'.

Here is the requirement for the certificate: In v7.2.5 the OFTP certificate check has changed. FortiAnalyzer and FIPS-CC mode FortiGate each need to have a certificate signed by the same CA.


CA cert requirement:

  • Basic Constraints shall be present and the value shall be 'true'.
  •  Key Usage shall contain the cRLSign bit.
  • FortiAnalyzer cert is not revoked.
  • FortiAnalyzercert requirement:
    FortiGate expects that the subject in FortiAnalyzer OFTP server cert matches the identity that is specified by 'set server <ip/hostname>' in the 'config log fortianalyzer setting' section. (example: set server
    CN and SAN should match the IP/DNS of the CN (example:
    Extended key usage field should not be missing.
    The validity of the cert.


FortiGate cert requirement:

  •  FIPS-CC FortiGate needs to have a certificate signed by the same CA.
  • Normal mode FortiGate will lose connectivity to FortiAnalyzer, therefore they also need to have the certificate installed. This can be a wildcard certificate from the same CA


 Here is configuration example:


config log fortianalyzer setting

    set status enable

    set server ""

    set certificate-verification disable

    set serial "FAZ-VM0000xxxxxx"

    set certificate "FIPS-FGT-Cert"

    set upload-option realtime


  config system certificate oftp

    set mode local

    set local "FAZ-Cert"



After changing the OFTP setting on FortiAnalyzer, it is necessary to restart the daemon using the command 'diag test application oftpd 99'.

If it still does not work, try to change the FortiGate certificate to a wildcard certificate.